Though Microsoft warns that fixes intended for embedded systems could break things.

Although Microsoft has officially stopped providing free security patches for Windows XP, millions of people haven't got the message and are still running the ancient operating system. As a result of this, there's widespread interest in figuring out ways to get patches, and last week, a registry change started circulating that appeared to reinstate Windows XP's security updates.

In spite of the end of public support, Microsoft is still developing security updates for Windows XP. There are two main demographics that benefit from these fixes. The first are the governments and large corporations that are paying Microsoft large sums of money to gain continued access to hotfixes.

The second are users of Microsoft's various embedded versions of Windows XP. These versions of the operating system are designed for things like ATMs and industrial machinery. Their core components are identical to those of regular, non-embedded Windows XP, so patches built for the embedded editions will generally also work on regular Windows XP.

The registry change works by adding a key and value that would normally only be found on one of these embedded versions of Windows XP, specifically Windows Embedded POSReady 2009. POSReady is designed for point-of-service systems such as ATMs, cash registers, and self-service checkouts, but it can do much more than just run POS software; it contains most parts of Windows XP Service Pack 3, and as such, it can serve as a source of Windows XP Service Pack 3-compatible software fixes.

Windows Update sees the registry entries created by the hack and determines that the modified systems are eligible for the POSReady 2009 patches.
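A small script that makes the change auditable, added here as an example (it is not code from the article, from whoever circulated the hack, or from Microsoft): it reports what the machine claims to be, and can write or remove the marker. The key and value, HKLM\SYSTEM\WPA\PosReady with a DWORD named Installed set to 1, are the ones in the .reg file that circulated; the article does not print them. The refusal to apply the marker on anything but 32-bit XP Service Pack 3 is the script's own precaution, not a check Windows Update performs.

```batch
@echo off
rem posready-check.cmd -- added example, not code from the article or Microsoft.
rem Reports whether this Windows XP box carries the registry marker that makes
rem Windows Update treat it as Windows Embedded POSReady 2009, and can apply
rem or remove that marker. Run from an administrative command prompt.
rem
rem Usage: posready-check.cmd [status|apply|remove]    (default: status)
setlocal

rem The key and value are the ones from the circulating .reg file; the article
rem itself does not print them.
set "KEY=HKLM\SYSTEM\WPA\PosReady"
set "VER=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
set "ACTION=%~1"
if "%ACTION%"=="" set "ACTION=status"

rem --- Gather facts about the running system ---
rem reg query prints "    Name    REG_TYPE    value"; tokens=2,* drops the name,
rem captures the type in %%A and keeps the rest of the line as the value. This
rem works on XP's tab-separated output as well as later space-padded output.
set "PRODUCT=(unknown)"
set "CSD=(none)"
set "POSREADY=(absent)"
for /f "tokens=2,*" %%A in ('reg query "%VER%" /v ProductName 2^>nul ^| find "ProductName"') do set "PRODUCT=%%B"
for /f "tokens=2,*" %%A in ('reg query "%VER%" /v CSDVersion 2^>nul ^| find "CSDVersion"') do set "CSD=%%B"
for /f "tokens=3" %%A in ('reg query "%KEY%" /v Installed 2^>nul ^| find "Installed"') do set "POSREADY=%%A"
rem A 32-bit cmd.exe on 64-bit Windows reports x86; PROCESSOR_ARCHITEW6432 tells the truth.
set "ARCH=%PROCESSOR_ARCHITECTURE%"
if defined PROCESSOR_ARCHITEW6432 set "ARCH=%PROCESSOR_ARCHITEW6432%"

echo Product            : %PRODUCT%
echo Service pack       : %CSD%
echo Architecture       : %ARCH%
echo PosReady\Installed : %POSREADY%

if /i "%ACTION%"=="status" goto :status
if /i "%ACTION%"=="apply"  goto :apply
if /i "%ACTION%"=="remove" goto :remove
echo Unknown action "%ACTION%"; use status, apply or remove.
exit /b 2

:status
if "%POSREADY%"=="0x1" (
    echo Verdict: Windows Update will offer this machine POSReady 2009 updates.
) else (
    echo Verdict: no POSReady marker; Windows Update treats this as plain XP.
)
exit /b 0

:apply
rem POSReady 2009 is 32-bit and built on XP SP3, so only that configuration can
rem sensibly take its updates. Refusing anything else is this script's own
rem policy, added as a precaution; Windows Update does not enforce it.
if /i not "%ARCH%"=="x86" (
    echo Refusing: not a 32-bit system. 64-bit XP needs the Server 2003 route.
    exit /b 1
)
if /i not "%CSD%"=="Service Pack 3" (
    echo Refusing: Service Pack 3 is required.
    exit /b 1
)
reg add "%KEY%" /v Installed /t REG_DWORD /d 1 /f
if errorlevel 1 (echo reg add failed; are you an administrator? & exit /b 1)
echo Marker written. Run Windows Update to see the POSReady 2009 packages.
exit /b 0

:remove
reg delete "%KEY%" /f
if errorlevel 1 (echo reg delete failed; are you an administrator? & exit /b 1)
echo Marker removed.
exit /b 0
```

The status mode is also a cheap inventory check: run it across a fleet and any machine whose ProductName still says Windows XP but whose PosReady\Installed reads 0x1 has been made to masquerade as POSReady. Only the registry write needs administrative rights; reading the keys does not.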

Another, somewhat more complicated, hack reinstates patches on 64-bit Windows XP. 64-bit Windows XP is, more or less, a rebranded version of Windows Server 2003, and Windows Server 2003 remains supported until July 14, 2015. Normally, the updates for Windows Server 2003 refuse to install on 64-bit Windows XP; the hack involves temporarily modifying the update so that its version check is skipped, then quickly reverting the change so that the update's own integrity check still passes.

This process is more onerous, and each patch must be downloaded and modified individually.

Microsoft, needless to say, is discouraging users from using these techniques, saying that "The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers. Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP."

With POSReady 2009 being built on top of Windows XP Service Pack 3, the lack of testing is unlikely to be a concern to many. A machine with these registry changes is probably going to be more secure than one without, as it should receive at least some security updates that it otherwise wouldn't.

POSReady 2009 incorporates most parts of Windows XP, so we'd tend to expect most future Windows XP updates to become available this way. For example, the hotfix KB2953522, for Internet Explorer 6 through 11, released on this month's Patch Tuesday, isn't available for Windows XP (though it is available for Windows Server 2003 and newer). Switch to POSReady 2009 and the update becomes available.

While POSReady 2009 does include almost all parts of Windows XP, there are portions that may be missing or optional. As a trivial example, POSReady doesn't include either Solitaire or Minesweeper. These components may contain security flaws, and their absence from POSReady means that they're unlikely to receive patches even when using this registry trick.

Longer term, we'd expect other limitations of this technique to become apparent. Although POSReady 2009 is supported until 2019, other versions of XP Embedded have shorter lifetimes. For example, POSReady's predecessor, Windows Embedded for Point of Service, is only supported until April 2016. This matters because POSReady 2009 comes with, for example, Internet Explorer 7 and Windows Media Player 11 baked in, so Internet Explorer 6 isn't a POSReady 2009 component at all; the Internet Explorer 6 fixes that a spoofed system receives today exist only because older embedded editions that do ship it are still being patched. As such, we wouldn't expect systems pretending to be POSReady 2009 to receive Internet Explorer 6 updates after 2016. That won't be a problem for the immediate future, but it might be problematic for anyone who thinks that this trick will give them another five years of Windows XP updates.

Moreover, if this technique spreads and continues to draw Microsoft's disapproval, the company could almost certainly make the version checking more stringent, such that it can't be faked out with a mere registry entry.

We wouldn't recommend running Windows XP in this day and age. Quite aside from the patch issue, it lacks the systemic exploit mitigations found in modern operating systems (address space layout randomization, for one, which only arrived with Windows Vista), meaning it's never going to be as robust and solid as its more modern alternatives.

But if you must run Windows XP for some kind of compatibility reason, this registry hack seems like the best way to run it. There's little point worrying about using an unsupported configuration when the entire operating system is unsupported, and even if the patches really haven't been tested on Windows XP proper, the fact that they've been tested on the Windows XP-based POSReady 2009 should preclude any serious incompatibilities.

And even if the patches don't work, what's the worst that can happen? Nothing a bad patch will do is any worse than what malware will do.